December 19, 2024

Sophisticated Phishing Campaign Targets 20000 European Companies via HubSpot


Palo Alto Networks Unit 42 researchers have uncovered a large-scale phishing campaign targeting approximately 20,000 users across European automotive, chemical, and manufacturing sectors. The sophisticated operation, which peaked in June 2024, leveraged HubSpot's Form Builder to create malicious redirection links without compromising the platform's infrastructure.

The phishing campaign utilized Docusign-themed emails with embedded PDF attachments and HTML links, strategically directing victims to credential-harvesting pages disguised as Microsoft Azure login interfaces. By exploiting HubSpot's legitimate form-building service, the attackers successfully bypassed traditional email security mechanisms.

Phishing operation flow

Researchers identified at least seventeen unique malicious forms created through HubSpot's platform, predominantly hosted on '.buzz' top-level domain websites. These fake forms were meticulously designed to mimic organizational login portals, increasing the likelihood of successful credential theft.

The threat actors employed sophisticated evasion techniques, including the use of VPN proxies to appear as if they were operating from the victim's geographic region. This approach made their malicious activities blend more seamlessly with legitimate network traffic, making detection significantly more challenging.

Upon successfully compromising an account, the attackers immediately attempted to establish persistence by adding trusted devices and initiating a continuous "tug-of-war" scenario with organizational IT teams. This approach demonstrated a calculated strategy to maintain access to infiltrated Microsoft Azure cloud infrastructures.

Unit 42 researchers noted that the campaign's infrastructure was primarily hosted on Bulletproof VPS providers, allowing threat actors to maintain flexibility and resilience in their attack infrastructure. The operation's precise timing, typically occurring during standard working hours in China, further suggests a potentially state-sponsored or professionally organized cyber threat.

The phishing emails associated with this campaign failed standard authentication checks, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Despite these failures, the use of HubSpot's legitimate service in the links helped the malicious messages pass initial security screening.
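The indicators described above (SPF/DKIM/DMARC failures, a Docusign lure, links to a legitimate form-builder host, landing pages on a '.buzz' domain) can be combined into a simple mail-gateway triage check. The following is an added example, not code from Unit 42 or thesecmaster.com; the form-builder host list and the sample message are constructed assumptions to illustrate the logic, not indicators taken from the report.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators summarised from the report above.
SUSPICIOUS_TLDS = {"buzz"}
# Assumption: hosts on which HubSpot-built forms are typically served; tune to your own telemetry.
FORM_BUILDER_HOSTS = {"share.hsforms.com", "hsforms.com"}
LURE_KEYWORDS = ("docusign",)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*", re.I)

def auth_results(msg: Message) -> dict:
    """Parse spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def body_text(msg: Message) -> str:
    """Concatenate text/plain and text/html parts so links in either are seen."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True).decode(errors="replace")
              for p in parts if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join(chunks)

def assess_message(raw: str) -> dict:
    """Score one raw RFC 822 message; returns the findings and a triage verdict."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    hosts = {h.lower() for h in URL_RE.findall(body_text(msg))}
    f = {
        "auth_failures": sorted(k for k, v in auth.items() if v != "pass"),
        "suspicious_tlds": sorted(h for h in hosts if h.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS),
        "form_builder_links": sorted(h for h in hosts if h in FORM_BUILDER_HOSTS),
        "lure_theme": any(k in (msg.get("Subject") or "").lower() for k in LURE_KEYWORDS),
    }
    # Weighting is an assumption: a trusted-service link alone is normal; combined with
    # failed authentication and a known lure theme it is the pattern from this campaign.
    f["score"] = (len(f["auth_failures"]) + 2 * bool(f["suspicious_tlds"])
                  + 2 * bool(f["form_builder_links"]) + int(f["lure_theme"]))
    f["verdict"] = "quarantine" if f["score"] >= 4 else "review" if f["score"] >= 2 else "allow"
    return f

# Constructed sample message shaped like the campaign's lures (all values are placeholders).
SAMPLE = """\
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=notice.example.test; dkim=none; dmarc=fail header.from=docusign-notice.example.test
From: "Docusign" <notice@docusign-notice.example.test>
Subject: Docusign: Completed document awaiting your review
Content-Type: text/plain

Please review the document: https://share.hsforms.com/EXAMPLE-placeholder
Sign in with your account: https://login-portal.example.buzz/azure
"""
```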

For organizations seeking protection, Palo Alto Networks recommends implementing advanced URL and DNS security measures, utilizing threat intelligence services, and maintaining robust multi-factor authentication protocols. The research underscores the evolving sophistication of cyber threats that increasingly exploit trusted digital platforms to orchestrate large-scale credential theft operations.

As digital ecosystems become more interconnected, this campaign serves as a critical reminder of the importance of continuous security awareness, advanced threat detection capabilities, and comprehensive user education about emerging phishing techniques.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
